How to Recognize a Phishing Scam

So someone comes up to you in a restaurant—a complete stranger—and asks to look at your driver’s license. What do you do? Show it to that person? You’d have to be one loony tune to do that.

However, this same blindness to security occurs all the time when a person is tricked by a “phishing” e-mail into typing in the username and password for their bank, or the login credentials for their PayPal account or health plan carrier.

Phishing e-mails are a favorite scam of cyber criminals. THEY WORK.

When a cyber thief goes phishing, he uses a variety of bait to snag his prey. Classic examples are subject lines designed to get the recipient to open the message immediately and react to it quickly, such as an announcement that you owe money, have won a prize or have had your medical coverage cancelled.

And to resolve these problems, you’re asked to log into your account. This is where you place your account credentials into the palm of the thief on the other end of these e-mails.

  • Phishing e-mails may address you by name (the hacker already knows about you), but usually, your name is nowhere mentioned.
  • The e-mails usually contain at least one link they want you to click. Hover your mouse to see what the URL is. It may appear legit, but note the “http” part. Reputable sites for giant businesses, such as Microsoft and PayPal, will have an “https” in their URL. The phishing link’s URL will usually not have the “s.”
  • A big red flag is if there are typos or poorly constructed sentences, but a phishing e-mail may also have flawless text.
  • Don’t be fooled by company logos, stock imagery, privacy policies, phone numbers and other formalities in the message field. It’s so easy for a hacker to put these elements in there.
  • Be leery of warnings or alerts that don’t sound right. Gee, why would your account be “in danger of being suspended”?
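The “hover to see the URL” check from the list above can be automated. The following is an added example, not part of the original article: it pulls every link out of an HTML message and flags those that are not https or whose visible text names a different host than the real destination. The sample message and its domains are constructed, and the function names are hypothetical.

```javascript
// Added illustration (not from the original article).
// Constructed sample body; the link destinations use reserved placeholder domains.
const SAMPLE_EMAIL_HTML = `
<p>Your account is in danger of being suspended.</p>
<a href="http://paypal.example-login.test/verify">https://www.paypal.com/signin</a>
<a href="https://www.example.com/help">Help center</a>
<a href="https://accounts.example.com/reset">accounts.example.com</a>
`;

// Collect { href, text } for each anchor; inner tags are stripped from the text.
function extractLinks(html) {
  const links = [];
  const re = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]*>/g, "").trim() });
  }
  return links;
}

// If the visible text itself looks like a URL or bare hostname, return its host.
function hostFromText(text) {
  if (/\s/.test(text) || !text.includes(".")) return null;
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text);
  try {
    return new URL(hasScheme ? text : "https://" + text).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Return the list of warning signs for one link.
function checkLink({ href, text }) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return ["unparseable-href"];
  }
  const findings = [];
  // Missing https is one signal only; https by itself does not prove a site is genuine.
  if (url.protocol !== "https:") findings.push("not-https");
  const shown = hostFromText(text);
  if (shown && shown !== url.hostname.toLowerCase()) {
    findings.push("text-host-mismatch"); // what you read is not where you go
  }
  return findings;
}

function auditEmail(html) {
  return extractLinks(html).map((link) => ({ ...link, findings: checkLink(link) }));
}

for (const link of auditEmail(SAMPLE_EMAIL_HTML)) {
  console.log(link.href, "->", link.findings.join(", ") || "no findings");
}
```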

The links will take you to a phony site that looks like the real thing and ask you for your login credentials, credit card information, etc. Another way this scam works is by downloading a virus to your computer after you click on the link. Sometimes there’s an attachment that you’re urged to open. The lure might be that it’s a survey from your bank or a report to review from your employer.

A phishing e-mail may still look like the real deal. So how do you protect yourself? Never click on links inside e-mails. Don’t open attachments unless they’ve been sent from someone you personally know. If you think it’s from your company, healthcare plan or bank, then whip out your phone and call the company to see if they sent you the e-mail.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Don’t Name Your Dog After Your Password

Recently I got a puppy for my child. We decided to name the puppy 4wgu23x5#9. My wife, 8yysH3m, thought we should name the dog 0x2%#b5. But I’m sure she’ll get over it. Meanwhile, I’m helping my older child with setting up a few social media accounts, and I suggested the two passwords: Rover and Spot.

Is there something wrong with this picture?

Of course! But this picture replays itself millions of times over all the time, as people name their passwords after their pets, family members or favorite sports teams. Don’t do online what you wouldn’t do in real life.

When creating passwords remember that you should avoid using things that are personal to you and that could be easy for a hacker to find out about you. Things like your pet’s name, maiden name, birthday, name of your high school and child’s name can be easily found on social networks, making it even easier for hackers to crack your passwords.

Here are some other great tips to make sure that your passwords are strong and protected:

  • Make sure your passwords are at least eight characters long and include numbers, letters and characters that don’t spell anything.
  • Use different passwords for separate accounts, especially for banking and other high-value websites.
  • Change your passwords frequently.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Craigslist encounter ends very badly

At least one woman is happy that her driver drove like a drunk. That’s because his erratic driving caught the attention of troopers who pulled him over. They then heard a woman calling for help—from the backseat. She was bound and gagged with a bag over her head.

The 41-year-old man had posted an ad on Craigslist; he wanted a submissive partner. His phony profile attracted the 22-year-old woman (who I must wonder, why would she be interested in a man who wants a submissive partner? Doesn’t this sound mighty suspicious?).

The victim chatted online and agreed to meet him. She thought nothing of meeting him in a secluded, remote location near his home.

Then she got into his car. Once inside, she noticed that he didn’t even look anything like the photo he had sent her.

Let’s stop here a moment. Just how dark was their initial meeting spot that she didn’t realize then that he looked nothing like the picture?

She told him to pull over. Instead he assaulted her and tied her up, tossing her in the backseat. She kicked at the man and backseat, causing him to swerve like a drunk.

None of this would have happened had she insisted on meeting in a public spot, and severed the connection with him if he kept insisting on the secluded, dark area.

How to Fight off an Attacker

  • Hit the gym and strengthen your body. Not only will a strong-looking body make a man think twice about attacking, but if he does, a strong body has a much better chance of fighting back and/or escaping.
  • We all know to go for the groin. Go after it like a savage. Hit, yank, pull.
  • Jab stiff fingers into his eye. Why this is rarely done I’ll never know, because it’s extremely effective.
  • Basic self-defense techniques, delivered to the neck, can stun a man and give you time to escape.
  • Slam a palm into his nose. Keep going after it. The pain and gush of blood will disorient him. A self-defense course will teach you how to elbow his nose if he’s behind you.
  • Smash a foot into his knee. You have a better chance of bringing him down if you come in from the side—because your foot will be striking against ligaments, rather than bone.

Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston. Disclosures.

Most Toxic Superheroes 2015: Super Powers, Super Risky!

The King of Atlantis! The Protector of the Seas and Oceans! A beloved member of the Justice League! It’s none other than Aquaman! While he is most well-known for his ability to control marine animals and breathing underwater, he is also the superhero who poses the biggest threat to you online, according to Intel Security’s list of Most Toxic Superheroes.

Superhero movies and television shows are booming like never before. They have been resurrected and reinvented with the new and improved costume designs and insane special effects we see on the big screen. This superhero craze is drawing in everyone from the youngsters, who tend to idolize the men and women of courage, all the way up to the older generations, who grew up with some form of these heroes, and everyone in between.

With the advancement of technology and accessibility, information on these superheroes can be retrieved online at all times. As a result, adults and kids alike need to be wary of the websites they use when they are accessing information on their favorite characters. While you might not think searching for one’s favorite superhero could be dangerous, you may want to take a step back and use caution before randomly clicking on a potentially harmful website.

Originally introduced as a backup feature in 1941, Aquaman has since become a prominent part in the DC universe, and a founding member of the Justice League. Fans express an admiration for his dual obligation to the citizens of the land and sea, as well as his honorable nature. Other than his abilities to breathe underwater and to control marine animals, he also possesses superhuman strength and impervious skin.

After long being the subject of ridicule for his rather interesting array of superpowers, the Dweller of the Depths himself returns to the top of the annual Most Toxic Superheroes list, compiled using McAfee SiteAdvisor, with a risk percentage of 20%, close to that of the 2013 list, where he came in first with 18.6%.

The Most Toxic Superheroes list is compiled using McAfee SiteAdvisor, which rates by risk level the websites that contain the superhero search terms on the most popular search engines (Google, Bing, and Yahoo!). SiteAdvisor informs you of potentially dangerous websites through color-coded levels of risk, from green to yellow to red, that signal when it is okay to click and when you should skip a particular website.

This year’s Most Toxic Superheroes are:

[Infographic: Most Toxic Superheroes 2015]

Whether you are searching online from your PC or mobile device, here are some tips you can use to help you stay safe:

  • Be suspicious: Be wary of searches that turn up a link to free content or too-good-to-be-true offers.
  • Double-check the Web address: Look for misspellings or other clues that the site you are going to may not be safe.
  • Search safely: Use a safe search plug-in, such as McAfee SiteAdvisor software, that displays red, yellow, or green ratings in search results, warning you of potentially risky sites before you click on them.
  • Protect yourself: Use comprehensive security software on all your devices, like McAfee LiveSafe™, to protect yourself against the latest threats.

Robert Siciliano is an Online Safety Expert to Intel Security. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!

Catphishing is a Heartless Scam

When someone online presents as a different person than their true self, this is called catphishing, and it occurs on online dating sites.

  • Google the name of the object of your interest. Obviously, “Kelly Smith” and “John Miller” won’t get you far, but “Jaycina McArthur” just might. What comes up?
  • See if they have social media accounts, as these suggest they’re a real person. But the absence doesn’t prove they’re a phony, either. Not every legitimate person is into the social media thing.

Here are warning signs:

  • More than one profile on a social media site.
  • Few friends or followers on social media (but then again…this doesn’t prove they’re a catphisher. Remember, Hitler had a million followers, and Christ had only 12!).
  • Photos don’t include other people.
  • Photos are headshots rather than of activities.
  • They find a way to contact you other than through the matchmaking service.
  • They quickly show neediness and request money.
  • They quickly proclaim “you’re the one” despite never having met you in person.

Additional Steps

  • Right click their photos to see where else they are online. Is it them on other sites or some model’s or real estate agent’s picture?
  • Copy and paste excerpts from their profiles and see if they show up elsewhere.
  • It may seem counterintuitive, but if you’re interested, ask for a face-to-face correspondence early on in the relationship (like a week or so into it) so that you don’t waste time getting dragged down by what ultimately turns out to be a catphisher.
  • If the person doesn’t use Skype, ask for a local meeting in a crowded public spot (assuming it’s a local person).
  • If they back down from a face-to-face meeting, be suspicious. They’re not necessarily after your money, but that 6-2, 180-pound stud might actually be a 5-7, 240-pound guy who’s 10 years older than what his profile says.
  • Don’t reveal private information like where you work. Make sure there’s nothing revealing about your location on your social media profiles. A catphisher will want this information.
  • Be highly suspicious of someone who wants to know a heck of a lot about you—like if your parents live in town, what kind of home you live in, how much you earn, etc.

Trust your gut. If he or she sounds too perfect, they’re probably a fake.

Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston. Disclosures.

Beware of Vacation Rental Scams this Summer

Talk about getting taken to the cleaners: Imagine you spot a great summer rental property advertised online. Looks wonderful. The deal sounds too good to be true, but the owner tells you (via e-mail or even phone) that the fee is correct. You apply for the rent and send in the required upfront payment.

Then you head down there for the first time to see an empty lot. It then dawns on you that the owner was really a crook who used some photo he found online and advertised it for rent. And if losing your money isn’t bad enough, the thief now has other private information on you like your Social Security number.

How can you protect yourself if the property is too far away to check out in person? Limit yourself to only local rental properties that you can actually physically check out first? Whether or not you can do that, here are safeguards:

  • Copy and paste the rental description into a search engine. If it shows up elsewhere consider it a scam. However…a smart crook will alter the wording so that this doesn’t happen!
  • Google the listed address and see if it matches up. Google any other information connected with the ad, such as the landlord’s name.
  • If you locate the property on another site that lists it for sale, the rental ad is a scam.
  • Request a copy of the owner’s driver’s license to verify property records at your county assessor’s office.
  • If you can’t physically visit the property, use an online map to get a full view, including aerial, to make sure it actually exists. But this doesn’t rule out a scam. The property may exist all right, but the ad you’re interested in was not placed by the owner, who’s either not renting at all or might be selling the place.
  • Conduct all communication by phone.
  • Never wire transfer an upfront payment or pay via prepaid debit card—two red flags for a scam. Pay via credit card.

Honest landlords can be scammed, too. They should search the information of responders to their ads to see what comes up.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.

Consumers smartening up to Privacy Issues

According to a recent report from Pew Research, many Americans take privacy seriously—as in the cyber kind, but also offline.

  • 9% of survey respondents thought they had strong control over how much of their personal information was collected and shared.
  • 38% thought they had moderate control; 37% believed they had little control; 13% said they had zero control.
  • 25% used temporary e-mail addresses or usernames for some online activities.
  • 24% gave non-truthful information about themselves (e.g., when registering on a site to post comments, a single woman might indicate that she’s a married man; or a childless person might indicate that he has kids).
  • 59% cleared their browser and cookies.
  • 47% avoided giving out non-relevant information for online transactions.
  • 55% remained anonymous for some online activities.
  • 74% believe the government should have better limits to collecting people’s data.

Why don’t more people do things in the name of privacy like adjust the settings of their accounts or smartphone? For starters, some don’t want to hassle with “techy” things, while others don’t think it’ll make any difference. Some just aren’t worried all that much and have nothing to hide. Others don’t want to pay more money for more security. And some are clueless over how much of their data gets shared, such as those who blindly allow mobile apps “permissions.”

Some users also know that higher privacy, in general, comes with slower loading times and other inconveniences. People want efficient usability. Nevertheless, people are getting cranky.

For example, the U.S. Drug Enforcement Administration was surveilling Americans’ phone calls overseas. They’ve now been sued. Secondly, the Stop Online Piracy Act was on the brink of being shelved, but lawmakers put a stop to these plans.

The National Security Agency’s metadata program with bulk phone calls was recently deemed illegal after the American Civil Liberties Union brought a lawsuit to the U.S. federal appeals court.

And that’s just a sample. There are more lawsuits in the works in the name of Americans’ privacy rights.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

ATM Skimming rising, again

Do you know what ATM stands for? For crooks, it stands for A Thief’s Moneymaker.

A new report from FICO says that “skimming” crimes have made their biggest spike in the past 20 years. This includes ATMs on bank premises, but of course, public ATM kiosks have seen the biggest spike.

The thief tampers with the ATM’s card receiver; the installed gadget collects card data which the thief retrieves later. “Skimming,” as this is called, also refers to capturing the PIN via a hidden camera.

With the stolen data, thieves craft phony debit cards, which they then use at ATMs or for purchases. In seconds, your bank account could be sucked dry—poof!

ATM users normally do not know that a skimming device is in place; they just swipe their card. The thief will come back to collect the skimmed data (likely in the middle of the night).

  • He downloads your data.
  • He burns it to a blank ATM card.
  • He drains your bank account first chance he gets or goes on a wild shopping spree.
  • All of this can happen within minutes to hours.
  • The hidden camera may be concealed by a brochure slot near the machine—placed there by the crook himself—with bank brochures he got from inside the bank.
  • The camera may be hidden in a nearby lighting fixture or even attached somewhere on the ATM.

Prevent Getting Skimmed

  • Use only ATMs inside banks if possible. The riskiest locations are restaurants, bars, nightclubs and public kiosks.
  • Regardless of ATM location, inspect the machine. A red flag is if the scanner’s colors don’t jibe with the rest of the machine.
  • Jiggle the card slot to see if it feels like something’s attached to it.
  • Inspect card slots at gas stations and other non-ATM devices that scan your debit card.
  • Look around for areas a camera might be hidden. Even if all seems clear, cover your hand when you enter the PIN.
  • Try to get away from using a debit card at all. At least with a credit card, you can dispute fraudulent charges before you lose any money (up to 60 days), but with a debit card, you have only a few days to do this.
  • Frequently check your bank and credit card statements.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. Disclosures.

Check out Google’s Password Alert

Cyber crooks have phony websites that masquerade as the legitimate site you want to log onto. They’ve spun their web and are just waiting for you to fly into it. Google now has Password Alert, which will tell you if you’ve landed into such a non-Google web.

For the Chrome browser, this extension will prompt the user to change their password.

When you change a password (regardless of reason) or sign up for a new account and it’s time to come up with a password…don’t just make up an easy word to remember or type.

  • No part of the password should contain actual words or proper names.
  • Each account, no matter how many, should have a different password.
  • If allowed, use a mix of characters, not just numbers and letters.
  • Use a password manager to eliminate the excuse of “I can’t remember a zillion passwords so that’s why I use the same one for multiple accounts.”

Even a strong password, when used for multiple accounts, can present a problem, because if that password gets in the hands of a cyber thief, he’ll then be able to access not just one—but all of your accounts with that password.

A different password for every account at least means that if any password gets into the bad guy’s hands, he’ll only be able to hack into one account per password.

And how might he get the password if it’s long, strong and full of different characters in the first place? By the user being tricked into giving it to him.

This is most often accomplished with a phishing attack: an e-mail that fools the user into thinking it’s from an account they have, such as PayPal, Microsoft or Wells Fargo. The message states there’s a problem with their account and they need to log in to get it fixed. The truth is, when you log in, you’re giving out your crucial login information to the villain.

However, Password Alert will intercept this process, and do so immediately, so that you can quickly change the password and protect your account before the thief has a chance to barge into it.

Other Features of Password Alert

  • Many sites are phony, appearing to be legitimate Google sites. Password Alert will spot these sites by inspecting their code when you visit them. You’ll then get an alert so you can get out of there fast.
  • Password Alert has a database that stores your passwords in a very secure way called a “hash.” This is the reference point that Password Alert uses every time you enter your password into the login field, to make sure you’re not entering it on a malicious site.
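The hash comparison described above can be sketched as follows. This is an added illustration and not Google’s Password Alert code: a salted fingerprint of the password is stored instead of the password, each keystroke updates a rolling buffer, and an alert fires when the buffer’s fingerprint matches on an origin that is not on the allowed list. The HMAC-SHA-256 construction, the `PROTECTED_ORIGINS` list, the class and function names, and the sample password and domains are all assumptions made for the example.

```javascript
// Added illustration; not Google's Password Alert implementation.
const crypto = require("crypto");

// Assumption: the only origin where typing the protected password is expected.
const PROTECTED_ORIGINS = new Set(["https://accounts.google.com"]);

// Salted fingerprint kept in place of the password itself.
function fingerprint(salt, text) {
  return crypto.createHmac("sha256", salt).update(text, "utf8").digest();
}

// Run once after a genuine sign-in. Only salt, length and digest are kept;
// storing the length is a trade-off that lets the rolling buffer stay small.
function enroll(password) {
  const salt = crypto.randomBytes(16);
  return { salt, length: password.length, digest: fingerprint(salt, password) };
}

class TypedPasswordWatcher {
  constructor(record) {
    this.record = record;
    this.buffer = ""; // last `length` characters typed on the current page
  }

  // Feed one typed character plus the page origin; returns true when an alert is due.
  onKey(ch, origin) {
    this.buffer = (this.buffer + ch).slice(-this.record.length);
    if (this.buffer.length < this.record.length) return false;
    const candidate = fingerprint(this.record.salt, this.buffer);
    const matches = crypto.timingSafeEqual(candidate, this.record.digest);
    return matches && !PROTECTED_ORIGINS.has(origin);
  }
}

// Helper for the demo: type a whole string and report whether any key raised an alert.
function typeInto(watcher, text, origin) {
  let alerted = false;
  for (const ch of text) alerted = watcher.onKey(ch, origin) || alerted;
  return alerted;
}

// Constructed sample values.
const record = enroll("Tr4il-mix!9");
const lookalike = "https://accounts.google.example-login.test";
console.log("real site:", typeInto(new TypedPasswordWatcher(record),
  "Tr4il-mix!9", "https://accounts.google.com"));
console.log("lookalike:", typeInto(new TypedPasswordWatcher(record),
  "user@example.comTr4il-mix!9", lookalike));
```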

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Apple’s bizarre Crashing Text and how to fix

Of all the weird things that can happen to your iOS device, the latest is a relatively benign situation in which a string of text is sent to the phone…and it causes the phone to crash.

The phone will reboot if the particular nonsensical text string is received while the phone is locked.

Data won’t be stolen; nobody will gain remote control of your device (yet); but heck, who wouldn’t be very annoyed that their phone crashes? And this is going on all over the world. The text characters can also be sent from any device. Apple says it will get this problem fixed.

But in the meantime, there are things you can do to undo the problem.

Mac Users

  • Reply to the gibberish text in iMessage, and the reply can be any string of text.

If you don’t have a Mac:

  • Send a text message via a third-party application by using its share feature.
  • Ask Siri to issue a reply or “read unread messages.” Then reply to free your Messages.
  • When you’re in Messages, delete the whole chain.
  • If you know who sent the crazy message, ask them to send a follow-up message.

A software update will soon be coming from Apple that will include a fix to this situation.

Robert Siciliano, personal and home security specialist to BestHomeSecurityCompanys.com, discussing burglar proofing your home on Fox Boston. Disclosures.